Date post: 22-Dec-2015
Upload: chad-daniel
Transcript
Page 1: Respond to customer feedback through agile development. Deliver new features and value. Trust and compliance. Cloud value. Continuous innovation with confidence.
Page 2:

Office 365 Compliance & Privacy

A. J. Schwab

Vijay Kumar

OFC-B334

Page 3:

Respond to customer feedback through agile development

Deliver new features and value

Trust and compliance

Cloud value

Continuous innovation with confidence and control

Continuous release cadence

Minor & major updates

Up-to-date, no patching

Security comes first

Evolving standards

Direct feedback

Real-time information

Common support issues

Page 4:

Office Mix

Simplified Admin Center experience

The New Office

New Partner Admin Center

Office 365 Adapter

Embedded Images OWA Policy Tips

Updated Lync mobile clients

Office 365 SSO with SAML 2.0 Identity Providers

Multi-factor authentication

Service Pack 1 for Office 365 ProPlus

SAP and Power BI and Power Query support

Windows Azure Active Authentication

DirSync Scoping and Filtering

Exchange Online Inactive Mailboxes

PDF support for SharePoint Online

Lync Online Integrated Reporting

Office Online real-time co-authoring

OneNote for Mac, Android, iPhone, and iPad updates

Office 365 operated by 21Vianet

Admin App for iOS, Android, and WP

OWA Calendar Search

OneDrive for Business Storage increase

Power Map for Excel

SharePoint Newsfeed App for Windows 8

Lync meeting scheduling from OWA

Office Mobile for iPhone & Android phones

Rights Management Services

OneNote for iPad

What we’ve delivered

Exchange Online Address Book Policies

Message Center

EXO: 50 GB Mailboxes

Exchange group naming policy

OWA for iPhone & OWA for iPad

New SharePoint Workflows

Simplified Yammer login

Office Lens

Power Map GA for all Excel 2013 users

OneDrive for Business Improvements

90 Day message trace

OneDrive for Business Sync for Windows

Lync Online Remote PowerShell

Lync mobile client updates

Office 365 Switch Plans

OneNote for iPhone and Android phones

Azure AD Password Sync

Lync and SharePoint Service Reporting

Connecting Skype & Lync

OneDrive for Business apps for Windows 8 & iOS

People View in OWA

1 TB for OneDrive for Business

Office 365 Developer APIs

S/MIME Encryption

Office for iPad + 1.1 update

Project Lite released

July 2013 – June 2014 highlights

Page 5:

Recent & upcoming capabilities

Office for iPad

Video in Office 365

Delve & Office Graph

Create, manage, and subscribe to various channels

Capture, share, and discover videos from any device

Secure cloud based video upload, storage and optimized playback

Page 6:

Compliance & Privacy in the cloud

The cloud is still new. You may ask about:

• How well your data is protected in the cloud

• Explaining the cloud to compliance officers, auditors, and regulators.

Page 7:

Earning Trust

Page 8:

Microsoft experience and credentials

One of the world’s largest cloud providers & datacenter/network operators

Timeline: 1989, 1995, 2000, 2005, 2010, 2013

• Exchange Hosted Services (part of Office 365)
• Hotmail
• SSAE-16
• U.S.-EU Safe Harbor
• European Union Model Clauses (EUMC)
• Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA)
• Data Processing Agreement (DPA)
• Active Directory
• Microsoft Security Response Center (MSRC)
• Global Foundation Services (GFS)
• ISO 27001 Certification
• Microsoft Security Essentials
• 1st Microsoft Data Center
• Trustworthy Computing Initiative (TwC)
• Microsoft Security Engineering Center - Security Development Lifecycle (SDL)
• Xbox Live
• MSN
• Bill Gates Memo
• Windows Azure
• FISMA
• Windows Update
• Malware Protection Center
• SAS-70
• Microsoft Online Services (MOS)
• CJIS Security Policy Agreement
• Bing/MSN Search
• Outlook.com

Page 9:

Principles of Trust for Office 365

It’s your data

You own it, you control it

We run the service for you

We are accountable to you

Transparent service operation

Privacy by design

Continuous Compliance

Built in Security

Page 10:

Independent verification

Third party validation

Regulatory compliance

Confidence in the results

Page 11:

Compliance

We support industry standards and organizational compliance

Built-in capabilities for global compliance

Enable customers to meet global compliance standards in ISO 27001, EUMC, HIPAA, FISMA

Contractually commit to privacy, security and handling of customer data

Customer controls for compliance with internal policies

Admin Controls like Data Loss Prevention, Archiving, E-Discovery to enable organizational compliance

Page 12:

How does Office 365 meet Compliance…

Physical Security

Security Best Practices

Secure Network Layer

Data Encryption

Office 365 Services | Master Control Set | Standards

DLP

OME

SMIME

RBAC

RMS

New Cert’s and more…

Account Mgmt.

Incident Monitoring

Data Encryption

Encryption of stored data and more…

Data Minimization & Retention

Access Control

Office 365 has over 900 controls today!

Service Capabilities

Customer Controls

Page 13:

Control Set

• Based on NIST Special Publication 800-53

• Internationally recognized security and privacy controls

• Specific and adaptable

Example:

Page 14:

Control Set

• NIST provides a mapping to ISO27001

• We map other standards like SOC 1, SOC 2 and EU Model Clauses

Page 15:

How the example control appears in our Control Set

Page 16:

Control set absorbs regulatory complexity

Page 17:

Standards & Certifications

Standards Certifications | Market | Region
SSAE/SOC | Finance | Global
ISO27001 | Global | Global
EUMC | Europe | Europe
FERPA | Education | U.S.
FISMA/FedRAMP | Government | U.S.
HIPAA | Healthcare | U.S.
HITECH | Healthcare | U.S.
ITAR | Defense | U.S.
HMG IL2 | Government | UK
CJIS | Law Enforcement | U.S.
IRS 1075 | Government | U.S.
Article 29 | Europe | Europe
SOC 2 | Global | Global

Working on ISO 27018

Page 18:

Ever Evolving Approach to Compliance

Market & Competitive Intelligence

Compliance Management Framework

Regulatory Impact Analysis (RSIA)

Define Security, and Privacy controls

Determine Implementation Requirements

Implement Controls

Document Implementation

Continuous Monitoring

Independent verification (Audits)

Remediation Prioritize

Page 19:

Independent Testing

Page 20:

How Office 365 Controls Meet Compliance

Physical Security

Security Best Practices

Secure Network Layer

Data Encryption

DLP

OME

SMIME

RBAC

RMS

New Cert’s and more…

Account Mgmt.

Incident Monitoring

Data Encryption

Encryption of stored data and more…

Data Minimization & Retention

Access Control

Audits

Office 365 has over 900 controls today!

Service Capabilities

Customer Controls

Office 365 Services | Master Control Set | Standards

Page 21:

Control Effectiveness Assessment (Audit) Schedule

Timeline: Nov 2014, Dec 2015, Jan 2015, Feb 2015, Mar 2015, Apr 2015, May 2015, Jun 2015, Jul 2015, Aug 2015, Sep 2015, Oct 2015, Nov 2015

Audits shown on the timeline: ISO, FedRAMP MT, ISAE3402/SOC, ITAR, ISO

Audit cadence

We audit control effectiveness using 3rd party independent auditors.

Page 22:

Third-Party Auditors

For ISO 27001 audits, Microsoft uses BSI. For ISAE3402/SOC audits, Microsoft uses Deloitte LLP.

For other audits, Microsoft uses SecureInfo and Veris Group.

We use well known or government certified auditors

Page 23:

ISO Audit report – sample

Page 24:

Audit Reports

Right to Examine

Customers can request a copy of the latest audit reports

Compliance Program

Page 25:

Benefits of Compliance

Page 26:

Controls, compliance, and audits exist to help mitigate risk. Organizations face risk constantly: competitors, external events, and bad actors.

What can you do about a risk? Mitigate, transfer, accept, and avoid.

With Office 365, a number of risks can be mitigated by Microsoft.

Risk Management

Page 27:

Risk Management framework

Page 28:

Managing Risk

Office 365 supports a high degree of customer configuration

Part of the responsibility for the secure management of the service lies with each customer.

Customers must put the following controls in place to ensure the security of their data

• Account Management
• Access control
• Segregation of duties
• Awareness and training
• Support requests
• Use flexible customer controls in Office 365

Page 29:

Summary

• Comprehensive controls
• Engineering investments
• Extensive experience in Enterprise software
• Privacy core component of Microsoft’s DNA

Page 30:

Compliance customer controls

Page 31:

Compliance controls

Archiving

Data Retention & Lifecycle

eDiscovery

Auditing

Data Loss Prevention

Overview of Security and Compliance controls in Office 365 - http://aka.ms/customercontrols

Page 32:

Data Loss Prevention

Helps to identify, monitor, and protect sensitive data through deep content analysis

Identify

Protect

Monitor

End user education

Page 33:

ALERT

CLASSIFY

ENCRYPT

APPEND

OVERRIDE

REVIEW

REDIRECT

BLOCK

Flexible tools for policy enforcement that provide the right level of control

Transport Rules

Rights Management

Data Loss Prevention

DLP Policy Enforcement

Page 34:

Data Loss Prevention (DLP)

Prevents Sensitive Data From Leaving Organization

Provides an Alert when data such as Social Security & Credit Card Number is emailed.

Alerts can be customized by Admin to catch Intellectual Property from being emailed out.

Empower users to manage their compliance

• Contextual policy education
• Doesn’t disrupt user workflow
• Works even when disconnected
• Configurable and customizable
• Admin customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own

Page 35:

Protect sensitive documents from being accidentally shared outside your organization

No coding required; simply upload sample documents to create fingerprints

Scan email and attachments to look for patterns that match document templates

DLP document fingerprinting

Page 36:

Email archiving and retention

Preserve Search

In-Place Archive

• Secondary mailbox with separate quota
• Managed through EAC or PowerShell
• Available on-premises, online, or through EOA

Governance

• Automated and time-based criteria
• Set policies at item or folder level
• Expiration date shown in email message

Hold

• Capture deleted and edited email messages
• Time-Based In-Place Hold
• Granular Query-Based In-Place Hold
• Optional notification

eDiscovery

• Web-based eDiscovery Center and multi-mailbox search
• Search primary, In-Place Archive, and recoverable items
• Delegate through roles-based administration
• De-duplication after discovery
• Auditing to ensure controls are met

Page 37:

Privacy

Page 38:

EU Data Protection Authorities validate Microsoft’s approach to privacy

Article 29 Working Party - collection of data protection authorities in Europe regulating world’s toughest privacy laws

Validation by EU Data Protection Authorities for Microsoft’s commercial commitments for DPA/EU Model Clauses (covering Office 365, Azure, CRM Online, and Intune).

• Microsoft is the only provider to have received this validation
• Standard part of contracts as of July 1st

http://www.tgdaily.com/enterprise/100136-microsoft-gains-eu-security-approval

Page 39:

Why Model Clauses Matter

History of Privacy in Europe

Microsoft was the first major CSP to offer EUMC

Set standards for data protection

Subprocessors

Page 40:

Privacy

Privacy by design means that we do not use your information for anything other than providing you services

No Advertising Transparency Privacy controls

No advertising products out of Customer Data

No scanning of email or documents to build analytics or mine data

Various customer controls at admin and user level to enable or regulate sharing

If the customer decides to leave the service, they get to take their data and delete it in the service

Access to information about geographical location of data, who has access and when

Notification to customers about changes in security, privacy and audit information

Page 41:

On government snooping…

To be clear, here’s what we do, and what we don’t do:

We don’t provide any government with direct, unfettered access to your data.

We don’t assist any government’s efforts to break our encryption or provide any government with encryption keys.

We don’t engineer back doors into our products and we take steps to ensure governments can independently verify this.

If as reports suggest there is a bigger surveillance program we aren’t involved

Page 42:

Transparency

We have a high bar for privacy practices that support global standards for data handling and transfer

How to get notified?

Microsoft notifies you of changes in data center locations and any changes to compliance.

Who has access to your data?

Core Customer Data accessed only for troubleshooting and malware prevention purposes. Core Customer Data access limited to key personnel on an exception basis.

Where is Data Stored?

Data Maps and Geographic boundary information provided

Page 43:

Data Centers and Data location

1+ million servers 100+ datacenters

Page 44:

Privacy of your data

We use customer data for just what they pay us for - to maintain and provide Office 365 Service

Microsoft Online Services Customer Data | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and Troubleshooting the Service | Yes | Yes | Yes | Yes
Security, Spam and Malware Prevention | Yes | Yes | Yes | Yes
Improving the Purchased Service, Analytics | Yes | Yes | Yes | No
Personalization, User Profile, Promotions | No | Yes | No | No
Communications (Tips, Advice, Surveys, Promotions) | No | No/Yes | No | No
Voluntary Disclosure to Law Enforcement | No | No | No | No
Advertising | No | No | No | No

 | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel only) | Yes. | Yes, as needed. | Yes, as needed. | Yes, by exception.
Support Organization | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | Yes, only as required in response to Support Inquiry. | No.
Engineering | Yes. | No Direct Access. May Be Transferred During Trouble-shooting. | No Direct Access. May Be Transferred During Trouble-shooting. | No.
Partners | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information. | With customer permission. See Partner for more information.
Others in Microsoft | No. | No (Yes for Office 365 for small business Customers for marketing purposes). | No. | No.

Page 45:

Customer dashboard for compliance

Access to O365 compliance controls

View customer-relevant reports – ISO, SOC Audit reports

Notifications about updates, regulatory changes, etc.

Vision for transparency in Compliance

Page 46:

Summary

Page 47:

Earning Trust

Independent Testing

Compliance Benefits

Customer controls

Privacy

Summary

Page 48:

Trust Center

• Answer key questions of Security Compliance Officers
• Dynamic engaging content that is refreshed every two weeks

Page 49:

END OF DECK

Page 50:

Technical Network

Join the conversation!

Share tips and best practices with other Office 365 experts

http://aka.ms/o365technetwork

Page 51:

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Developer Network

http://developer.microsoft.com

Page 52:

Please Complete An Evaluation Form

Your input is important!

TechEd Schedule Builder: CommNet station or PC

TechEd Mobile app: Phone or Tablet

QR code

Page 53:

Evaluate this session

Page 54:

Office 365 training and certification (diagram)

Tracks: Classroom training, Online training, Exams

Titles shown: Introduction to Office 365; Office 365 Fundamentals; Managing Office 365 Identities and Requirements; Managing Office 365 Identities and Services; Deploying Office 365 Services; Designing for Office 365 Infrastructure

Codes shown: FLC 40041, MOC 20346, MOC 10968, EXAM 346, EXAM 347, MVA

http://bit.ly/O365-Cert

http://bit.ly/O365-MVA

http://bit.ly/O365-Training

Get certified for 1/2 the price at TechEd Europe 2014!

http://bit.ly/TechEd-CertDeal

Page 55:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

